CVE-2024-43364

5.7 MEDIUM

📋 TL;DR

This stored XSS vulnerability in Cacti allows authenticated users with external link creation privileges to inject malicious scripts via the title parameter. When other users view the affected page, the scripts execute in their browser context. All Cacti installations below version 1.2.28 are affected.

💻 Affected Systems

Products:
  • Cacti
Versions: All versions before 1.2.28
Operating Systems: All platforms running Cacti
Default Config Vulnerable: ⚠️ Yes
Notes: Requires a user with the 'External Link' creation privilege. Default installations include this privilege for certain roles.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could steal administrator session cookies, perform actions as authenticated users, redirect to malicious sites, or deploy malware to users' browsers.

🟠 Likely Case

Privilege escalation where lower-privileged users compromise administrator accounts, leading to full system compromise or data exfiltration.

🟢 If Mitigated

With proper input validation and output encoding, the malicious payload would be rendered harmless as plain text.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated access with specific privileges. The vulnerability is straightforward to exploit once access is obtained.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.2.28

Vendor Advisory: https://github.com/Cacti/cacti/security/advisories/GHSA-fgc6-g8gc-wcg5

Restart Required: No

Instructions:

1. Back up your Cacti database and configuration.
2. Download Cacti 1.2.28 from the official repository.
3. Replace the existing files with the new version.
4. Run the database upgrade script if prompted.
5. Verify functionality.

🔧 Temporary Workarounds

No official workarounds

The vendor states there are no known workarounds for this vulnerability.

🧯 If You Can't Patch

  • Remove 'External Link' creation privileges from all non-essential users
  • Implement web application firewall rules to block XSS payloads in the title parameter

🔍 How to Verify

Check if Vulnerable:

Check the Cacti version via the web interface or by examining the version header of the cacti.php file.

Check Version:

grep '\$version' /path/to/cacti/include/global.php | head -1

Verify Fix Applied:

Verify that the version is 1.2.28 or higher and test that HTML/script input in the title field is properly sanitized.

📡 Detection & Monitoring

Log Indicators:

  • Unusual POST requests to links.php with script tags in parameters
  • Multiple failed login attempts followed by successful login and link creation

Network Indicators:

  • HTTP requests containing script tags or JavaScript in title parameter
  • Outbound connections to suspicious domains after visiting Cacti pages

SIEM Query:

source="cacti_access.log" AND (uri="/links.php" AND method="POST" AND (param="title" CONTAINS "<script" OR param="title" CONTAINS "javascript:"))
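The log indicators above turned into a small detector, as an added example that is not part of this page or of Cacti. It assumes a constructed proxy/WAF log format that captures the POST body (ordinary access logs do not), and it percent-decodes the form before matching, since the raw line carries `%3Cscript%3E` rather than `<script`, which a plain substring query would miss.

```python
"""Flag POSTs to Cacti's links.php whose `title` parameter carries script
markup (the stored-XSS pattern of CVE-2024-43364).

Added example, not Cacti's own code. The log format is constructed: a
reverse proxy or WAF that appends the URL-encoded POST body as body=...
"""
import re
from urllib.parse import parse_qs

# Constructed sample lines: "<ip> <method> <uri> <status> body=<urlencoded form>"
SAMPLE_LOG = """\
10.0.0.5 POST /cacti/links.php 302 body=action=save&title=Uptime+Dashboard&refresh=300
10.0.0.7 POST /cacti/links.php 302 body=action=save&title=%3Cscript%3Ealert%281%29%3C%2Fscript%3E&refresh=300
10.0.0.7 POST /cacti/links.php 302 body=action=save&title=%3Ca+href%3D%22javascript%3Avoid%280%29%22%3Eclick%3C%2Fa%3E
10.0.0.9 GET /cacti/links.php 200 body=
10.0.0.9 POST /cacti/graph_view.php 200 body=action=preview&title=%3Cscript%3E
"""

LINE_RE = re.compile(
    r"^(?P<ip>\S+) (?P<method>\S+) (?P<uri>\S+) (?P<status>\d{3}) body=(?P<body>.*)$"
)
# The page's two indicators: a script tag or a javascript: URL in the title.
XSS_RE = re.compile(r"<\s*script|javascript\s*:", re.IGNORECASE)


def parse_line(line):
    """Return a dict with ip/method/uri/status/params, or None if unparsable."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # parse_qs percent-decodes values, so "%3Cscript%3E" becomes "<script>".
    rec["params"] = {k: v[0] for k, v in parse_qs(rec["body"], keep_blank_values=True).items()}
    return rec


def is_suspicious(rec):
    """Only POSTs to the external-link editor with a script-bearing title count."""
    path = rec["uri"].split("?", 1)[0]
    if rec["method"] != "POST" or not path.endswith("/links.php"):
        return False
    return bool(XSS_RE.search(rec["params"].get("title", "")))


def scan(log_text):
    """Return (source ip, decoded title) for every suspicious line."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_suspicious(rec):
            hits.append((rec["ip"], rec["params"]["title"]))
    return hits


if __name__ == "__main__":
    for ip, title in scan(SAMPLE_LOG):
        print(f"{ip} submitted a suspicious external-link title: {title!r}")
```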
